[CentOS] [CentOS-announce] CVE-2014-0160 CentOS 6 openssl heartbleed workaround

Peter peter at pajamian.dhs.org
Wed Apr 9 20:12:38 UTC 2014


On 04/10/2014 03:09 AM, Markus Falb wrote:
> 
> I am assuming that client certificates are handed out to staff. Basically you can't
> really control where people install client certificates and which client software is used.
> If one is tricked into doing an SSL handshake with a malicious server, the key of the client
> certificate is leaked. Reissuing the cert won't help because on another day there
> would be another malicious handshake with another bad server...

No, the server never sees a private client certificate, it only ever has
access to the public certificate, which by its very nature of being
public doesn't really matter if it gets leaked.  No vulnerability on the
server can expose a private client certificate, only a vulnerability on
the client can.


Peter